CVE-2018-1088

moderate-risk

Published 2018-04-18

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

Do I need to act?

10.8% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (7)

Gluster Storage

Virtualization

Virtualization Host

Enterprise Linux Server

Leap

Debian Linux

Affected Vendors

Debian Redhat Opensuse

References (16)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1136

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1137

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1275

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1524

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1558721

Mailing List https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html

Third Party Advisory https://security.gentoo.org/glsa/201904-06

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1136

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1137

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1275

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1524

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1558721

Mailing List https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html

Third Party Advisory https://security.gentoo.org/glsa/201904-06

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 11/34 · Low

Exposure 14/34 · Moderate